SCSI Security Nuts and Bolts
Ralph Weber, ENDL Texas
Security Nuts and Bolts © 2008 Storage Networking Industry Association. All Rights Reserved.
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions:
- Any slide or slides used must be reproduced without modification
- The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee.
Abstract
SCSI Security Nuts and Bolts
The SCSI Command Sets are the lingua franca of computer storage, the language by which computer systems and peripherals communicate to support the storage and retrieval of information, the lifeblood of any modern business. SCSI has evolved from origins in the early 1980s in small computers to support modern SANs that interconnect tens of thousands of peripherals and servers. The latest SCSI standards projects underway in INCITS Technical Committee T10 define the creation of Security Associations, methods of deriving keys and performing strong mutual authentication, per-command security controls supporting multiple levels of protection, support for security protocols defined separately by multiple other standards organizations, and the control and operation of new security features within storage peripherals themselves. This session will cover these new features in detail, and will highlight the new requirements that these features will place on the operation and management of future computer systems and their storage configurations.
Notice
The authors are NOT attorneys, and nothing in this presentation is intended to be (and should not be) construed as legal advice or opinion. If you need legal advice or a legal opinion, please contact an attorney.
The information presented herein represents the authors' personal opinions and understanding of the issues involved. The author, contributors, presenter, conference host, and SNIA DO NOT assume any responsibility or liability for damages arising out of any reliance on or use of this information.
Agenda
- 50,000' View: History, Terms, Puzzle (some trees – some forest), etc.
- Management Concerns
- Nuts and Bolts
- Loose Ends
The History of SCSI (in one slide)
(The slide is built up in four steps; the complete build is shown here.)
Timeline: 1980 — 1989 (SCSI-2), 1990, Today
SCSI-2 (1980 — 1989): Parallel Bus, Disks, Tapes…
From 1990, three layers:
- Transports: Parallel Bus, Fibre Channel
- Commands: Block (Disks), Stream (Tapes, Printers)
- Glue: Architecture, Shared Commands
Today:
- Transports: SPI-x, FCP-x, SAS-x, SBP-x (Firewire), ADT-x (robotics), iSCSI, USB Bulk Transport
- Commands: SBC-x/RBC (Disks), SSC-x (Tapes), SES-x (Enclosures), SMC-x (Media Changers), OSD-x (Object Storage), Optical Card Reader
- Glue: Architecture (SAM-x), Shared Commands (SPC-x)
Key: Developed by T10 (www.t10.org); Developed by T10 and other groups; Developed exclusively by other groups
Security Enforcement Points
Transport Security
- Affects all commands and data
- Protection from: wire taps; hackers on the network
- SCSI Transports: USB, SAS, Fibre Channel, iSCSI
Command Security
- Affects one command only
- Command data (not the command itself, not user data)
- Protection from: creative software; hackers on the network
Check out SNIA Tutorial: IP Storage Protocols - iSCSI
Check out SNIA Tutorial: Fibre Channel Technologies: Current and Future
Ultimate Security Enforcement Point
[Diagram: two End-Points, Command Security at each End-Point, Transport Security on the path between them]
An End-Point uses a Command that is sent across a Transport … to another End-Point.
End-Point Postscript
Warning: The definition of End-Point is fuzzy.
- HBA (Host Bus Adapter) builders see the End-Point as the HBA
- Applications see the End-Point as their program
Transport Level Security
- Authenticates Hardware (HBAs & Drive Ports)
- Hardware-based encryption
- Encrypts/Integrity Checks Whole Frames
iSCSI
- IKE: Authentication and Key Exchanges
- IPsec: Encryption and Integrity Checking
- MACsec: Ethernet Encryption and Integrity Checking
Fibre Channel
- FC-SP: Clones of IKE and IPsec all in one package
Check out SNIA Tutorial: ABCs of Encryption
Command Level Security
- Authenticates Builder of the Command
  - Might authenticate the program image
- Software-based encryption
- Encrypts/Integrity Checks Only Specific Data
  - Command Data (as currently defined), e.g. encrypt a Tape-Data-Encryption key in transit from Host to Drive
  - Not User Data
See SPC-4 (SCSI Primary Commands) and other command standards
Security Toolbox
- Authentication. Example: Driver's License Check
- Integrity Checking. Example: Notarized Copy
- Encryption. Example: Pig Latin
Security Jigsaw Puzzle
Several ways to do the same thing (using Tape-Data-Encryption keys as an example)
- Transport Level Encryption (Hardware): encrypt everything, including the Tape-Data-Encryption keys
- Command Level Encryption (Software): set up a Security Association (extra commands), then encrypt just the Tape-Data-Encryption keys
Solving the Security Jigsaw Puzzle
- No Right (one size fits all) Answer
  - Encrypting everything may be overkill if (for example) the only family jewel on the link is the Tape-Data-Encryption key
- New Site-Specific Customization Opportunities: What to secure ... Where?
- Product Manufacturers Will Help: promote standards; suggest best product uses
Agenda
- 50,000' View
- Management Concerns
  - Distributing Authentication Info
  - How to Authenticate
  - What to Authenticate
  - Where to Authenticate
- Nuts and Bolts
- Loose Ends
Distributing the Authentication Info
- Security Job One is Always Authentication
- Multiple Ways to Authenticate
- Multiple Things That Can Be Authenticated
- Multiple Places to Authenticate
- Governmental Agencies May Help Make These Choices
Check out SNIA Tutorial: Information Security and IT Compliance
Distributing the Authentication Info
- Multiple Ways to Authenticate Devices: Certificates (aka Public Key Infrastructure); Shared Secrets (aka passwords)
- Multiple Things That Can Be Authenticated: Devices/Ports; Users; Programs
- Multiple Places to Authenticate: In the End Devices; Central Security Server (e.g., RADIUS)
How to Authenticate
- Multiple Ways to Authenticate Devices: Certificates; Shared Secrets (aka passwords)
- Certificates Require a Public Key Infrastructure
  - Books have been written on this
  - Maybe you already have a PKI
- Shared Secrets Must Be Established
  - Centralized Password or Secret Management
What to Authenticate
- Multiple Things That Can Be Authenticated: Devices/Ports; Users; Programs
- Also affects where the authentication material must be distributed
- Softer authentication objects might be harder to supply with an authentication identity
- Standardization for this is in its infancy: what your gut says is right may not be supported
Where to Authenticate
- Multiple Places to Authenticate
  - In the End Devices: more management by walking around
  - Central Security Server (e.g., RADIUS): more lines-of-communication concerns
- Well-Designed Security Features Always Give You This Choice
Agenda
- 50,000' View
- Management Concerns
- Nuts and Bolts
  - Transport Security (not much new)
  - Command Security (very interesting)
- Loose Ends
Transport Security
- Authenticates Hardware (HBAs & Drive Ports)
- Hardware-based encryption
- Encrypts/Integrity Checks Whole Frames
Command Security
- New Commands
- New SAs (Security Associations) for Command Uses
- New Command-Parameter Data Encryption and/or Integrity Checking
- New Extensions to Commands
- New Capability-Based Security on Commands
Security Commands
- SECURITY PROTOCOL IN/OUT Command
  - ~225 protocol codes still available for T10 assignment
  - Five protocols already used by T10: IEEE 1667 Host Authentication; ATA Drive Locking; SD Card TrustedFlash (www.sdcard.org)
  - Six protocols assigned to the Trusted Computing Group (www.trustedcomputinggroup.org)
  - 16 Vendor Specific
Check out SNIA Tutorial: TCG Trusted Storage Specifications
SECURITY PROTOCOL IN/OUT
- Very Flexible: see list of existing uses
- Mostly a Data-Transfer Shell: contents always more interesting than vessel
- Widespread Tendency to Abbreviate: SPIN and SPOUT
Command-Based SAs
- Set up via a Pair of SPIN/SPOUT Protocols
  - Determine Supported Features (one command)
  - Create the SA (two or four commands)
- Identified by Indices (but with differences from Transport SAs)
  - Two SAs per Creation Operation (In and Out): best fit for SCSI command structure
  - Index called SAI (Security Association Index), not SPI (Security Parameters Index), because SPI is the name of the Parallel Bus standard
  - Numerous differences in the details too
Command-Based SAs
- SA Pair is Not Qualified by I_T Nexus
  - Use Not Limited to One Pair of SCSI Devices
  - Device Server Required to Assign a Unique SAI to Every SA It Creates
  - Hosts Can Exchange SA Information Out-of-Band and Use SAs Across Any Port
- How useful this will be is yet to be seen
Command Data Encryption
- Define an SA to Specify: Type of Encryption; Type of Integrity Checking
- Use SA to Protect One or More Fields in Command-Related Data: encrypt some data, or encrypt all data
- Ready-to-Use Tools in SPC-4, used by: Tape-Data-Encryption Keys; Capability-Based Command Security Credentials
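The SA creation and field-protection steps from the two Command-Based SAs slides and the Command Data Encryption slide, as an added example in Go that is not part of the SNIA tutorial or of any T10 standard: the device server assigns a unique SAI to each of the two SAs (in and out) created by one operation, finds SAs by SAI alone with no I_T nexus qualification, and the out SA is used to encrypt and integrity-check exactly one field of the parameter data, a constructed tape-data-encryption key, with AES-GCM while everything else stays in the clear. The SA record layout, the HMAC-SHA256 key derivation from a shared secret, and the nonce || ciphertext || tag encoding are assumptions of this example, not SPC-4 formats.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SA is a command-level Security Association as a device server might hold
// it. Hypothetical model for this example, not the SPC-4 layout.
type SA struct {
	SAI       uint32 // Security Association Index, assigned by the device server
	Direction string // "in" (device server to host) or "out" (host to device server)
	EncAlg    string // type of encryption the SA specifies
	IntegAlg  string // type of integrity checking the SA specifies
	Key       []byte // key derived for this SA
}

// DeviceServer keeps the SA table. SAs are found by SAI alone: the table is
// not qualified by I_T nexus, so an SA created through one port is usable
// through any other port of the device.
type DeviceServer struct {
	nextSAI uint32
	sas     map[uint32]*SA
}

func NewDeviceServer() *DeviceServer {
	return &DeviceServer{nextSAI: 1, sas: make(map[uint32]*SA)}
}

// CreateSAPair models the result of the SPOUT/SPIN creation operation: one
// operation yields two SAs, in and out, each with a SAI that is unique on
// this device server. Both keys come from the secret the two sides agreed
// during the exchange; HMAC-SHA256 with a direction label stands in for the
// real key derivation (an assumption of this example).
func (d *DeviceServer) CreateSAPair(shared []byte) (in, out *SA) {
	derive := func(dir string) *SA {
		mac := hmac.New(sha256.New, shared)
		mac.Write([]byte("sa-key-" + dir))
		sa := &SA{SAI: d.nextSAI, Direction: dir, EncAlg: "AES-128", IntegAlg: "GCM tag", Key: mac.Sum(nil)[:16]}
		d.nextSAI++
		d.sas[sa.SAI] = sa
		return sa
	}
	return derive("in"), derive("out")
}

// Lookup finds an SA by index; no port or initiator identity is consulted.
func (d *DeviceServer) Lookup(sai uint32) (*SA, bool) {
	sa, ok := d.sas[sai]
	return sa, ok
}

func aead(sa *SA) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sa.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func saiBytes(sai uint32) []byte {
	return []byte{byte(sai >> 24), byte(sai >> 16), byte(sai >> 8), byte(sai)}
}

// ProtectField encrypts and integrity-checks one field of the command
// parameter data (for instance a tape-data-encryption key) under the SA.
// Output is nonce || ciphertext || tag; the SAI is bound in as associated
// data so the blob only verifies under the SA it was made for.
func ProtectField(sa *SA, field []byte) ([]byte, error) {
	g, err := aead(sa)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, field, saiBytes(sa.SAI)), nil
}

// UnprotectField reverses ProtectField and fails on any modification.
func UnprotectField(sa *SA, blob []byte) ([]byte, error) {
	g, err := aead(sa)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("protected field too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], saiBytes(sa.SAI))
}

// TapeKeyRoundTrip plays both sides: the host protects a constructed
// tape-data-encryption key under the out SA, the device server finds the SA
// by SAI and recovers the key.
func TapeKeyRoundTrip() (bool, error) {
	ds := NewDeviceServer()
	_, out := ds.CreateSAPair([]byte("constructed shared secret"))
	tapeKey := bytes.Repeat([]byte{0x42}, 32) // constructed sample key
	blob, err := ProtectField(out, tapeKey)
	if err != nil {
		return false, err
	}
	sa, ok := ds.Lookup(out.SAI)
	if !ok {
		return false, errors.New("unknown SAI")
	}
	got, err := UnprotectField(sa, blob)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, tapeKey), nil
}

func main() {
	ok, err := TapeKeyRoundTrip()
	fmt.Println("tape key round trip:", ok, err)
}
```

Because the key derivation is direction-specific and the SAI is authenticated as associated data, a blob built under the out SA cannot be opened with the in SA, and a single flipped byte anywhere in the blob makes the device server reject the field rather than load a corrupted key.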
CDB Extensions
- General Mechanism for Adding Chunks of New Data to Every CDB (Command Data Block)
  - Better than defining hundreds of new CDBs
- Uses: Per-Command Quality of Service; Per-Command Usage Classification; Capability-Based Command Security Extensions; …
Credential-Based Command Security
- Authenticate With Credential Server: maybe with SA, maybe other mechanism
- Request Credential: encrypt Credential using the above-mentioned SA
- Extend CDB by Adding Credential: see CDB Extensions in previous slide
- Manage Access to a Resource: defined for Disks, Tapes, and Media Changers
- Much Like Standard OSD (Object-based Storage Device) Security Feature
Agenda
- 50,000' View
- Management Concerns
- Nuts and Bolts
- Loose Ends
Where Is All This Headed?
- The Sky's the Limit
  - Reservations with Authenticated Access Restrictions
  - Non-Credential Command Security: some people think Credential-Based Command Security is too complex
  - Command level SAs seed Transport level SAs
- Work With Your Equipment Vendors to Request Features You Need
Q&A / Feedback
Please send any questions or comments on this presentation to SNIA: [email protected]
Many thanks to the following individuals for their contributions to this tutorial:
SNIA Education Committee
Roger Cummings